Default Web and FTP Scanning Settings

After installation, your HTTP and FTP traffic is scanned by default for viruses, worms, and Trojans. Malware such as spyware and other grayware requires a configuration change before it is detected. If you have a Plus License, you can block or allow URLs classified as phishing sites during work or leisure time.

Note Some categories, such as pornography, are blocked by default. Customers should review the categories blocked by default and make the appropriate adjustments. With a Plus License for URL filtering and blocking, URLs can be blocked with global policies, user/group policies, or both.

Table 4-1 summarizes the web and file transfer configuration settings, and the default values that are in effect after installation.

HTTP downloads and file transfers (FTP) for files in which malware is detected | Clean the downloaded file or file in which the malware was detected. If uncleanable, delete the file.
HTTP downloads and file transfers (FTP) for files in which spyware or grayware is detected | Files are deleted.
HTTP downloads when malware is detected | A notification is inserted in the browser, stating that Trend Micro InterScan for CSC SSM has scanned the file you are attempting to transfer, and has detected a security risk.
File transfers (FTP) notification | The FTP reply has been received.

These default settings give you some protection for your web and FTP traffic after you install CSC SSM. You may change these settings. For example, you may want to scan by the "Specified file extensions" option instead of by the "All Scannable Files" option for malware detection. Before making changes, review the online help for more information about these selections.

After installation, you may want to update additional configuration settings to obtain the maximum protection for your web and FTP traffic. You must configure these additional features if you purchased the Plus License, which entitles you to receive web reputation, URL blocking, and URL filtering functionality (for both global and user/group policies).

Downloading Large Files

The Target tabs on the HTTP Scanning and FTP Scanning windows allow you to define the size of the largest download you want scanned. For example, you might specify that a download smaller than 20 MB is scanned, but a download larger than 20 MB is not scanned.

In addition, you can:

•Specify large downloads to be delivered without scanning, which may introduce a security risk.

•Specify that downloads greater than the specified limit are deleted.

By default, the CSC SSM software specifies that files smaller than 50 MB are scanned, and files 50 MB and larger are delivered without scanning to the requesting client.

Deferred Scanning

The deferred scanning feature is not enabled by default. When enabled, this feature allows you to begin downloading data without scanning the entire download. Deferred scanning allows you to begin viewing the data without a prolonged wait while the entire body of information is scanned.

Caution When deferred scanning is enabled, the unscanned portion of information can introduce a security risk.

If deferred scanning is not enabled, the entire content of the download must be scanned before it is presented to you. However, some client software may time out because of the extra time required to collect sufficient network packets to compose complete files for scanning. Table 4-2 summarizes the advantages and disadvantages of each method.

Table 4-2 Deferred Scanning Safety Comparison

Method | Advantage | Disadvantage
Deferred scanning enabled | Prevents client timeouts. | May introduce a security risk.
Deferred scanning disabled | Safer. The entire file is scanned for security risks before being presented to you. | May result in the client timing out before the download is completed.

Note Traffic moving via HTTPS cannot be scanned for viruses and other threats by the CSC SSM software.

When the file is eventually scanned by CSC SSM, it may be found to contain malicious content. If so, CSC SSM takes the following actions:

•Sends a notification message, provided notifications are enabled.

•Logs the event details.

•Automatically blocks the URL from other users for four hours after malicious code detection. Access to the URL is restored after four hours elapse, and content from it will be scanned.

If CSC SSM has been registered to a Damage Cleanup Services (DCS) server, a DCS clean-up request is issued under one of the following conditions:

•Someone (usually using a client PC) attempts to access a URL classified as Spyware, Disease Vector, or Virus Accomplice through URL Filtering (requires a Plus License).

•Someone (usually using a client PC) uploads a virus classified as a "worm."

Spyware and Grayware Detection and Cleaning

Grayware is a category of software that may be legitimate, unwanted, or malicious. Unlike threats such as viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data, but it may violate your privacy. Examples of grayware include spyware, adware, and remote access tools.

Spyware or grayware creates two main problems for network administrators. It can compromise sensitive company information and reduce employee productivity by causing infected machines to malfunction. In addition to detecting and blocking incoming files that may install spyware, CSC SSM can prevent installed spyware from sending confidential data via HTTP.

If a client tries to access a URL classified as Spyware, Disease Vector, or Virus Accomplice, or a client PC uploads a virus classified as a worm as a web mail attachment, CSC SSM can send a request to Trend Micro DCS to clean the infected machine. DCS reports the outcome of the cleaning attempt (as either successful or unsuccessful) to the CSC SSM server.

If the cleaning attempt is not successful, the client's browser is redirected to a special DCS-hosted cleanup page the next time the browser tries to access the Internet. This page contains an ActiveX control that again tries to clean the infected machine. If access permissions were the reason for the first failed cleaning attempt, the ActiveX control may be successful where cleaning via remote logon was unsuccessful.

Note To avoid excessive cleanup attempts, CSC SSM only sends requests to clean up a target IP address once every four hours by default. If the client at that IP address continues to perform suspicious actions, then no further cleanup requests will be issued until this lockout period has expired. You can modify the length of this lockout period by going to /opt/trend/isvw/config/web/intscan.ini on the CSC SSM and changing the value of the [DCS]/cleanup_lockout_hours field. The value in this field is interpreted as the number of hours, and partial values (such as 0.5) are supported.
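The lockout described in the note above, modelled as an added example (not Cisco or Trend Micro code): it reads cleanup_lockout_hours from a constructed [DCS] fragment and shows which of a client's repeated triggers would produce a cleanup request. The event list, the function names, and the assumption that the window is measured from the last issued request are illustrative.

```python
import configparser

# Constructed fragment using the section and field named in the note above.
SAMPLE_INI = """
[DCS]
cleanup_lockout_hours=0.5
"""

DEFAULT_LOCKOUT_HOURS = 4.0  # default stated in the note above


def read_lockout_hours(ini_text):
    """Return the [DCS]/cleanup_lockout_hours value, or the default if unset."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    raw = parser.get("DCS", "cleanup_lockout_hours", fallback=None)
    if raw is None:
        return DEFAULT_LOCKOUT_HOURS
    hours = float(raw)  # partial values such as 0.5 are accepted
    if hours < 0:
        raise ValueError("cleanup_lockout_hours must not be negative")
    return hours


def cleanup_requests(events, lockout_hours):
    """Return the events that would produce a cleanup request.

    events is a time-ordered list of (minute, client_ip) triggers. A trigger
    produces a request only if no request went to that IP address within the
    lockout period (assumption: measured from the last issued request).
    """
    window_minutes = lockout_hours * 60
    last_request = {}
    issued = []
    for minute, client_ip in events:
        previous = last_request.get(client_ip)
        if previous is None or minute - previous >= window_minutes:
            issued.append((minute, client_ip))
            last_request[client_ip] = minute
    return issued


# Constructed triggers: one client repeats suspicious actions, another acts once.
SAMPLE_EVENTS = [
    (0, "10.0.0.5"),
    (20, "10.0.0.5"),
    (45, "10.0.0.5"),
    (50, "10.0.0.7"),
    (300, "10.0.0.5"),
]

if __name__ == "__main__":
    for hours in (DEFAULT_LOCKOUT_HOURS, read_lockout_hours(SAMPLE_INI)):
        print(hours, cleanup_requests(SAMPLE_EVENTS, hours))
```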

Detecting Spyware and Grayware

Spyware or grayware detection is not enabled by default. To detect spyware and other forms of grayware in your web and file transfer traffic, you must configure this feature in the following windows:

Scanning Webmail

As specified in Table 4-1, web mail scanning for Yahoo, AOL, MSN Hotmail, and Google is already configured by default.

Caution If you elect to scan only webmail, HTTP scanning is restricted to the sites specified on the Webmail Scanning tab of the Web (HTTP/HTTPS) > Scanning > HTTP Scanning window. Other HTTP traffic is not scanned. Configured sites are scanned until you remove them from scanning by clicking the Trashcan icon.

Step 4 In the Match field, enter the exact website name/IP address, a URL keyword, and a string.

Step 5 Choose the appropriate radio button to correspond with the text entered in the Match field.

Note Attachments to messages that are managed via web mail are scanned.

Step 6 Click Add.

Step 7 Click Save to update your configuration.

For more information about how to configure additional web mail sites for scanning, see the online help.

File Blocking

This feature is enabled by default; however, you must specify the types of files you want blocked. File blocking helps you enforce your organization's policies for Internet use and other computing resources during work time. For example, your company does not allow downloading of music, because of both legal issues and employee productivity issues.

Step 3 To block the transferring of music files, on the Target tab of the File Blocking window, check the Audio/Video check box, as shown in Figure 4-1.

By default, compressed music files will be blocked. To disable file blocking for compressed files containing true file types, check the No radio button for the "Do you also want to block compressed files containing the selected file type(s)" option, as shown in Figure 4-1.

Note File blocking for FTP does not support the blocking of compressed files containing true file types.

For more information about file blocking and for information about deleting file extensions you no longer want to block, see the online help.

Step 7 To view the default notification that displays in the browser or FTP client when a file blocking event is triggered, click the Notifications tab of the File Blocking window.

Step 8 To customize the text of these messages, select and redefine the default message. An optional notification to the administrator is available for HTTP file-blocking events, but is turned off by default. Check the Send the following message check box to activate the notification.

Step 9 Click Save when you are finished to update the configuration.

URL Blocking

The URL blocking feature helps you prevent employees from accessing prohibited websites. For example, you may want to block some sites because policies in your organization prohibit access to dating services, online shopping services, or offensive sites. URL blocking policies, set by going to Web (HTTP/HTTPS) > Global Settings > URL Blocking, affect all users. URL blocking policies can also be set for specific users or groups. For more information, see the "URL Blocking and Filtering Policies for Users/Groups" section.

Note This feature requires the Plus License.

HTTPS filtering is only supported when the ASA is running Version 8.4(2) or later.

You may also want to block sites that are known for perpetrating fraud, such as phishing. Phishing is a technique used by criminals who send e-mail messages that appear to be from a legitimate organization and that ask the recipient to reveal private information such as bank account numbers. Figure 4-2 shows an example of an e-mail message used for phishing.

Figure 4-2 Example of Phishing

By default, URL blocking is enabled (including blocking URLs based on user group policies).

Blocking from the HTTP Local List Tab

To configure URL blocking from the Via Local List tab, perform the following steps:

Step 2 On the HTTP Local List tab of the URL Blocking window, type the URLs you want to block in the Match field. You can specify the exact website name/IP address, a URL keyword, or a string.

See the online help for more information about formatting entries in the Match field.

Step 3 To move the URL to the Block List, click Block after each entry. To specify your entry as an exception, click Do Not Block to add the entry to Block List Exceptions. Entries remain as blocked or exceptions until you remove them.

Note You can also import a block and exception list. The imported file must be in a specific format. See the online help for instructions.

Figure 4-3 URL Blocking Window

Blocking from the HTTPS Local List Tab

To configure URL blocking from the HTTPS Local List tab, perform the following steps:

Step 3 On the HTTPS Local List tab of the URL Blocking window, type the domains or IP addresses you want to block. You can specify the exact domain name/IP address as these examples show: example.com or 1.1.1.1.

See the online help for more information about formatting entries in this field.

Step 4 To move the URL to the Block List, click Block after each entry. To specify your entry as an exception, click Do Not Block to add the entry to Block List Exceptions. Entries remain as blocked or exceptions until you remove them.

Note You can also import a block and exception list. The imported file must be in a specific format. See the online help for instructions.

After you have created a list of blocked URLs, they will appear in the Block List area. You can select individual URLs to remove them from the list, or select them all and click Remove All.

Step 5 Be sure to click Save to preserve your work before exiting the screen.

Important Note

URL filtering and URL blocking are determined according to the IP address or domain name of the website. If you use the domain name to perform URL filtering or URL blocking, the browser must support the Server Name Indication (SNI) extension of TLS. As a result, you must make sure that you have enabled TLS and that your browser supports SNI. The following lists the browsers that support the SNI extension and that the CSC SSM also supports:

Browser | Version
Windows IE | 7.0 or later on Vista or higher. Does not work on XP with IE 8.0.
Mozilla Firefox | 2.0 or later.
Google Chrome | Vista or higher. XP on Chrome 6 or later. OSX 10.5.7 or higher on Chrome 5.0.342.1 or later.

If you use a browser that does not support SNI (for example, IE on the Windows XP series), the IE browser does not send the domain name in the SSL handshake of an HTTPS request. The CSC SSM uses the IP address of the HTTPS site to perform categorization instead of the domain name. As a result, the behavior of the IE browser might be different from that of other browsers that support SNI, such as Firefox, which uses the domain name to perform categorization.

Block List Exceptions

You can also create a list of URLs that you do not want CSC to block or filter. This list is populated by clicking Do Not Block in the previous procedures.

URL Blocking Notifications

A configurable message informs the end user when CSC SSM detects an attempt to access a blocked URL via HTTP. A default notification message is provided, but other text and variables can be used to create a custom message. URL blocking and URL filtering use the same notification message.

Step 3 Use the variables or tokens listed in the online help to customize your message.

Step 4 Click Restore Default to return to the default message.

Step 5 Click Save to save your work in this screen.

URL Filtering

The URLs defined on the URL blocking windows described previously are either always allowed or always disallowed. The URL filtering feature, however, allows you to filter URLs in categories, which you can schedule to allow access during certain times, such as leisure and work time. URL filtering policies set through Web (HTTP/HTTPS) > Global Settings > URL Filtering affect all users. URL filtering policies can also be set for specific users or groups. For more information, see the "URL Blocking and Filtering Policies for Users/Groups" section.

Note This feature requires the Plus License.

Because URL filtering is based on the IP address or domain name of a website, the categorization results for the IP address and the domain name of the same website can sometimes differ.

HTTPS filtering is only supported when the ASA is running Version 8.4(2) or later.

URL categories are organized into the URL filtering groups shown in Table 4-3.

Table 4-3 Grouping Definition for URL Categories

Category Group | Description
Adult | Sites that may be considered inappropriate for children
Business | Sites related to business, employment, or commerce
Communications and Search | Sites that provide tools and services for online communications and search
General | Sites not classified in other category groups, including unrated sites
Internet Security | Potentially harmful sites, including sites known to have malware
Lifestyle | Sites about lifestyle preferences, including sexual, political, or religious orientations, as well as recreation and entertainment
Network Bandwidth | Sites that offer services that can significantly impact available network bandwidth

Note For URL filtering to work correctly, the CSC SSM must be able to send HTTP requests to the Trend Micro service. If an HTTP proxy is required, configure the proxy setting by choosing Update > Proxy Settings.

URL Filtering Categories

Table 4-4 lists definitions of the URL filtering categories and the assigned group.

Table 4-4 URL Filtering Category Definitions

Category Group | Category Type | Category Definition
Adult | Abortion | Sites that promote, encourage, or discuss abortion, including sites that cover moral or political views on abortion
Adult | Adult/Mature Content | Sites with profane or vulgar content generally considered inappropriate for minors; includes sites that offer erotic content or ads for sexual services, but excludes sites with sexually explicit images
Adult | Alcohol/Tobacco | Sites that promote, sell, or provide information about alcohol or tobacco products
Adult | Gambling | Sites that promote or provide information on gambling, including online gambling sites
Adult | Illegal Drugs | Sites that promote, glamorize, supply, sell, or explain how to use illicit or illegal intoxicants
Adult | Illegal/Questionable | Sites that promote and discuss how to perpetrate "nonviolent" crimes, including burglary, fraud, intellectual property theft, and plagiarism; includes sites that sell plagiarized or stolen materials
Adult | Intimate Apparel/Swimsuit | Sites that sell swimsuits or intimate apparel with models wearing them
Adult | Marijuana | Sites that discuss the cultivation, use, or preparation of marijuana, or sell related paraphernalia
Adult | Nudity | Sites showing nude or partially nude images that are generally considered artistic, not vulgar or pornographic
Adult | Pornography | Sites with sexually explicit imagery designed for sexual arousal, including sites that offer sexual services
 | | Sites with content that is gratuitously offensive and shocking; includes sites that show extreme forms of body modification or mutilation and animal cruelty
Adult | Violence/Hate/Racism | Sites that promote hate and violence; includes sites that espouse prejudice against a social group, extremely violent and physically dangerous activities, mutilation and gore, or the creation of destructive devices
Adult | Weapons | Sites about weapons, including their accessories and use; excludes sites about military institutions or sites that discuss weapons as sporting or recreational equipment
Business | Auctions | Sites that serve as venues for selling or buying goods through bidding, including business sites that are being auctioned
Business | Brokerage/Trading | Sites about investments in stocks or bonds, including online trading sites; includes sites about vehicle insurance
Business | Business/Economy | Sites about business and the economy, including entrepreneurship and marketing; includes corporate sites that do not fall under other categories
Business | Financial Services | Sites that provide information about or offer basic financial services, including sites owned by businesses in the financial industry
Business | Job Search/Careers | Sites about finding employment or employment services
Business | Real Estate | Sites about real estate, including those that provide assistance selling, leasing, purchasing, or renting property
Business | Shopping | Sites that sell goods or support the sales of goods that do not fall under other categories; excludes online auction or bidding sites
Communications and Search | Blogs/Web Communications | Blog sites or forums on varying topics or topics not covered by other categories; sites that offer multiple types of web-based communication, such as e-mail or instant messaging
 | | Sites about computers, the Internet, or related technology, including sites that sell or provide reviews of electronic devices
General | Education | School sites, distance learning sites, and other education-related sites
General | Government/Legal | Sites about the government, including laws or policies; excludes government military or health sites
General | Health | Sites about health, fitness, or well-being
General | Military | Sites about military institutions or armed forces; excludes sites that discuss or sell weapons or military equipment
General | News/Media | Sites about the news, current events, contemporary issues, or the weather; includes online magazines whose topics do not fall under other categories
General | Political | Sites that discuss or are sponsored by political parties, interest groups, or similar organizations involved in public policy issues; includes non-hate sites that discuss conspiracy theories or alternative views on government
 | | Sites that provide downloadable "joke" software, including applications that can unsettle users
Internet Security | Made for AdSense sites (MFA) | Sites that use scraped or copied content to pollute search engines with redundant and generally unwanted results
Internet Security | Malware/Virus Accomplice | Sites used by malicious programs, including sites used to host upgrades or store stolen information
Internet Security | Password Cracking Application | Sites that distribute password cracking software
Internet Security | Phishing | Fraudulent sites that mimic legitimate sites to gather sensitive information, such as user names and passwords
Internet Security | Potentially Malicious Software | Sites that contain potentially harmful downloads
Internet Security | Proxy Avoidance | Sites about bypassing proxy servers or web filtering systems, including sites that provide tools for that purpose
Internet Security | Remote Access Program | Sites that provide tools for remotely monitoring and controlling computers
Internet Security | Spam | Sites whose addresses have been found in spam messages
Internet Security | Spyware | Sites with downloads that gather and transmit data from computers owned by unsuspecting users
Internet Security | Web Advertisement | Sites dedicated to displaying advertisements, including sites used to display banner or popup ads
Lifestyle | Activist Groups | Sites that promote change in public policy, public opinion, social practice, economic activities, or economic relationships; includes sites controlled by service, philanthropic, professional, or labor organizations
Lifestyle | Alternative Journals | Online equivalents of supermarket tabloids and other fringe publications
Lifestyle | Arts/Entertainment | Sites that promote or provide information about movies, music, non-news radio and television, books, humor, or magazines
Lifestyle | Cult/Occult | Sites about alternative religions, beliefs, and religious practices, including those considered cult or occult
Lifestyle | Cultural Institutions | Sites controlled by organizations that seek to preserve cultural heritage, such as libraries or museums; also covers sites owned by the Boy Scouts, the Girl Scouts, Rotary International, and similar organizations
Lifestyle | For Kids | Sites designed for children
Lifestyle | Games | Sites about board games, card games, console games, or computer games; includes sites that sell games or related merchandise
Lifestyle | Gay/Lesbian | Sites about gay, lesbian, transgender, or bisexual lifestyles
Lifestyle | Humor/Jokes |
 | | Sites about motorized transport, including customization, procurement of parts and actual vehicles, or repair services; excludes sites about military vehicles
Lifestyle | Personal Websites | Sites maintained by individuals about themselves or their interests; excludes personal pages in social networking sites, blog sites, or similar services
Lifestyle | Personals/Dating | Sites that help visitors establish relationships, including sites that provide singles listings, matchmaking, or dating services
Lifestyle | Recreation/Hobbies | Sites about recreational activities and hobbies, such as collecting, gardening, outdoor activities, traditional (non-video) games, and crafts; includes sites about pets, recreational facilities, or recreational organizations
Lifestyle | Religion | Sites about popular religions, their practices, or their places of worship

Filtering Rules, Exceptions, and Time

Step 2 Click Enable to enable the URL filtering feature, or accept the default setting, which is enabled.

Step 3 Check the Include HTTPS filtering check box to include HTTPS URL filtering, when appropriate.

Step 4 Check the Include User Group Policies check box to include user group policies, if appropriate.

Step 5 On the Rules tab, review the subcategories listed under each category. (See Figure 4-5.) For example, "Illegal Drugs" is a subcategory of the "Adult" category. If your organization is a financial services company, you may want to filter this category. Check the Illegal Drugs check boxes for Work and Leisure time to enable filtering for sites related to illegal drugs. However, if your organization is a law enforcement agency, you should clear the Illegal Drugs subcategory.

Step 6 For each of the seven groups of categories, specify whether the URLs are blocked, and if so, during work time, leisure time, or both.

Figure 4-5 URL Filtering: Global Policy Rules Tab

Step 7 If you believe a particular URL has been misclassified, you can check the category of the URL and request it be reclassified by clicking the link in the Note section at the bottom of the page.

Step 8 If there are sites within the enabled subcategories that you do not want filtered, click the HTTP Exceptions or the HTTPS Exceptions tabs. (See Figure 4-6 and Figure 4-7.)

Step 9 Type the URLs you want to exclude from filtering in the Match field. You can specify the exact website name or IP address, a URL keyword, and a string.

See the online help for more information about formatting entries in the Match field.

Note You can also import a list of URL filtering exceptions. The imported file must be in a specific format. See the online help for instructions.

Figure 4-6 URL Filtering: Global Policy HTTP Exceptions Tab

Step 10 Click Add after each entry to move the URL to the "Do Not Filter the Following HTTP Sites" list. Entries remain as exceptions until you remove them. You can do the same on the HTTPS Exceptions tab, except that you can only add domain names or IP addresses. Keywords and strings are not allowed.

Figure 4-7 URL Filtering: Global Policy HTTPS Exceptions Tab

Step 11 Click the Time Allotment tab.

Step 12 Define the days of the week and hours of the day that should be considered work time. Time not designated as work time is automatically designated as leisure time. (Figure 4-8 shows 8:00 a.m. through 12:00 a.m. and 1:00 p.m. through 5:00 p.m. as work time.)

•For setting work days, check the check box for the days of the week to be designated as work days.

•For setting work time, click the hours to be designated as work time.

Web reputation also assigns reputation scores to URLs. For each accessed URL, CSC SSM queries web reputation for a reputation score and then takes the necessary action, based on whether this score is below or above the user-specified sensitivity level.

CSC SSM has a feature that enables the device to automatically provide feedback on infected URLs, which helps improve the web reputation database. If enabled, this feedback includes product name and version, URL, and virus name. (It does not include IP address information, so all feedback is anonymous and protects company information.) Web reputation results are located in the Web Reputation log (choose Logs > Query > Web Reputation) and by clicking the Summary > Web (HTTP/HTTPS) tab.

With Trend Micro web reputation technology (part of the Smart Protection Network), you can perform website scanning at varying levels of protection (low, medium, and high) and add websites to the Exceptions List (yourcompany.com, for example), so that websites can be viewed without scanning or blocking.

Note Preapproving websites must be done carefully. Not scanning or blocking a website could pose a security risk.

HTTPS filtering is only supported when the ASA is running Version 8.4(2) or later.

Anti-Phishing Using Web Reputation

CSC SSM provides anti-phishing through web reputation and URL filtering. Both features require a Plus License.

•Phishing sites blocked by URL filtering are blocked by the Phishing category and will give a "Phishing" message.

Web Reputation Database

The web reputation database resides on a remote server. When a user attempts to access a URL, CSC SSM retrieves information about this URL from the web reputation database and stores it in the local cache. Having the web reputation database on a remote server and building the local cache with this database information reduces the overhead on CSC SSM and improves performance.

The web reputation database is updated with the latest security information about web pages. If you believe the reputation of a URL is misclassified or you want to know the reputation of a URL, use the following URL to notify Trend Micro:

Security Sensitivity Level

Upon receiving a web reputation score, CSC SSM determines whether the score is below or above the preferred threshold. The sensitivity level threshold is defined by the user. Medium is the default sensitivity setting. Trend Micro recommends this setting because it blocks most web threats while not creating many false positives.

HTTP Exceptions

Listing a website within the web reputation approved list allows CSC SSM to bypass any malicious code scans on the listed site. Web reputation scanning exceptions can be defined by entering the complete website URL or IP address, a URL keyword, a string, or by importing an existing exception list of URLs.

Caution Lack of scanning could cause security holes if a website on the Approved list has been hacked and has had malicious code injected.

After you have specified a URL as an exception to web reputation, you can include it in web reputation scanning by selecting the URL in the Approved List and clicking Remove to delete it from the list. Click Remove All to delete all URLs in the Approved List.

HTTPS Exceptions

Listing trusted websites within the web reputation approved list allows CSC SSM to bypass any malicious code scans on the listed sites. Web reputation scanning exceptions can be defined by entering the domain or IP address, or by importing an existing exception list.

Caution Lack of scanning could cause security holes if a website on the Approved list has been hacked and has had malicious code injected.

To specify web reputation HTTPS exceptions, perform the following steps:

•Import an approved exceptions list. For more information about importing an exceptions list, see the "HTTP URL Filtering Settings - URL Filtering Exceptions" online help topic.

Step 3 Click Add.

Step 4 Click Save.

After you have specified a domain or IP address as an exception to web reputation, you can later include it in web reputation scanning by selecting the IP or domain name in the Approved List and clicking Remove to delete it from the list. Click Remove All to delete all domain names or IP addresses in the Approved List.

URL Blocking and Filtering Policies for Users/Groups

CSC SSM has a policy framework that allows the association of URL filtering and blocking policies to specific groups or individual users based on the user or group identity. This feature includes:

•Identification settings

•Microsoft Active Directory service support

•Policy item management

•User/Group-based log and report

Note Both URL filtering and URL blocking require a Plus License.

CSC SSM supports up to 20 URL filtering and blocking policies for users and groups. The Domain Controller Agent software can be deployed on a Domain Controller Server or Windows machine that is on the Intranet. The agent communicates with CSC SSM over a secure TCP port and works with Microsoft Active Directory.

Before using user/group policies for URL filtering and blocking, enable the following:

The All Policies tab on the URL Blocking & Filtering Policies screen displays existing policies and provides the following information:

•Policy Type—Lists the policy by type, either Filtering or Blocking

•Policy Name—Shows the descriptive name assigned to identify the policy

•Status—Indicates if the policy is enabled (green check) or disabled (red check)

•Priority—Indicates the order in which the policies are enforced. For example, if a policy has an exception and has a higher priority than another policy, it overrides the rules of the lower-priority policy. Any global policies configured under URL filtering or URL blocking always have the lowest priority.

The Policies by User/Group tab offers search capabilities for existing policies. Editing policies is possible from this screen by clicking the policy name.

Add/Edit URL Blocking Policies for Users/Groups

URL blocking is an important tool for managing employee Internet use in your organization. With URL blocking, you can prohibit access to URLs that may distract employees from productive use of their time or may even result in legal liability. The process of adding a blocking policy for groups or users begins with choosing a template and creating an account.

If Global Policy - URL Blocking appears in the list of policies, this policy was configured on the Web (HTTP/HTTPS) > Global Settings > URL Blocking screen. Priority settings can be changed for user and group policy by choosing Web (HTTP/HTTPS) > User Group Policies > URL Blocking & Filtering. Go to the far right column in the table that lists the policies, and click the up and down arrows to adjust the priority. Global policies will always have the lowest priority.

Prerequisites

•A method of user/group identification must be selected by choosing Administration > Device Settings > User ID Settings, and the Domain Controller Agent must be installed and configured. For more information, see the "Configuring User ID Settings" section on page 6-3.

Selecting a Template

To select a template for the first rule of a URL blocking policy, perform the following steps:

Step 3 (Optional) Check the Enable policy check box to have the policy enabled as soon as it is created. (See Figure 4-10.) You can also check the Enable HTTPS filtering option to include the filtering of HTTPS URLs.

•URLs are blocked by the Trend Micro scan engine (via a pattern file).

The "Step 2: Specify Block Rule via HTTP Local List" page and the "Step 3: Specify Block Rule via HTTPS List" page are similar to Figure 4-3 and are used in Step 6 and Step 8 of the Creating Accounts procedure. On these pages, you use a local list to specify the sites that specific users or groups in your organization are permitted or prohibited from accessing.

Enabling a User/Group Blocking Policy

When the URL blocking function is disabled at the global level, end users can access any domains or URLs from your network via HTTP. When URL blocking is enabled at the global level, all users in your network are prevented from accessing certain domains and URLs. User/group policies allow you to select the domains and URLs that can be viewed by specific users or groups.

Adding or Editing URL Filtering Policies for Users/Groups

URL filtering for users/groups allows you to filter the categories of websites, such as "Adult" or "Social," that specific users or groups of users may access. Site classification varies from one organization to the next, depending on the business being conducted. For example, the subcategory "violence/hate crime" may not be work-related in a manufacturing company, but may be defined as work-related in a news reporting organization.

Some company-prohibited sites might always be blocked (on the URL Filtering Rules screen) during both work time and leisure time. If you want to allow employees to use chat sites during leisure time, however, you can specify that those sites be blocked only during work time.

If a Global Policy - URL Filtering policy already exists, it was configured by choosing Web (HTTP/HTTPS) > Global Settings > URL Filtering and was applied to all users. User or group policy will always have a higher priority than the global policy. Priority settings can be changed for user and group policy by choosing Web (HTTP/HTTPS) > User Group Policies > URL Blocking & Filtering. Go to the far right column in the table that lists the policies, and click the up and down arrows to adjust the priority. Global policies will always have the lowest priority.

Creating Accounts

Step 2 In the accounts section (similar to what is shown in Figure 4-10), select the method of user or group identification you will use: LDAP or IP address. This selection must match the user identification method selected by choosing Administration > Device Settings > User ID Settings. Both methods of identification (LDAP and IP address) can be used if the identification method is configured correctly.

Step 3 To select users, do one of the following:

•For LDAP identification, select the radio button for either the entire LDAP list or use the search function to find a specific name or group.

•For IP address identification, enter a range of IP addresses, a single IP address, or a host name.

Step 4 Select the username, group name, IP address or range of IP addresses, then click Add to add users, groups, or IP addresses to the Selected field.

Adding User Group Filtering Policy Rules

This screen allows you to define rules for user or group policies that allow or disallow access to categories, or parts of categories, of URLs during work or leisure time. The categories are as follows:

Specifying Exceptions to the User Group Filtering Policy

The "Step 3: Specify HTTP Exceptions" and "Step 4: Specify HTTPS Exceptions" screens of URL Filtering Policy: Add Policy, similar to what is shown in Figure 4-6 and Figure 4-7, allow you to identify URLs that are excluded from filtering. For example, you may have elected to assign the subcategory "shopping" to the work-time filtered category. However, your Finance Department needs access to the URLs of certain vendors that offer online shopping services in order to purchase office supplies, furniture, software, hardware and other business equipment, airline tickets, and so on. Identify those vendors as exceptions to allow access to their URLs.
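The following added example (a Python model written for this guide's rules, not CSC SSM code) shows how priority, LDAP or IP identification, work/leisure time, and exceptions combine, so you can see which policy decides a request before you reorder policies. The policy names other than Global Policy - URL Filtering, the groups, hosts, addresses, the lower-number-first priority, and the fall-through to the next policy when a policy has no matching rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_USER_GROUP_POLICIES = 20  # limit stated in this guide

@dataclass
class Policy:
    name: str
    priority: int                                  # lower number = enforced first (assumed)
    groups: set = field(default_factory=set)       # LDAP identification
    networks: list = field(default_factory=list)   # IP identification, as CIDR strings
    work: set = field(default_factory=set)         # categories filtered in work time
    leisure: set = field(default_factory=set)      # categories filtered in leisure time
    exceptions: set = field(default_factory=set)   # hosts excluded from filtering
    enabled: bool = True
    is_global: bool = False

    def applies_to(self, groups, ip):
        addr = ipaddress.ip_address(ip)
        return (self.is_global or bool(self.groups & set(groups))
                or any(addr in ipaddress.ip_network(n) for n in self.networks))

def decide(policies, groups, ip, host, category, period):
    """Return (action, policy name) from the first enabled, applicable policy
    that either excepts the host or filters the category (assumed fall-through)."""
    if sum(not p.is_global for p in policies) > MAX_USER_GROUP_POLICIES:
        raise ValueError("more than 20 user/group policies")
    # Global policies sort last regardless of their priority number.
    for p in sorted(policies, key=lambda p: (p.is_global, p.priority)):
        if not p.enabled or not p.applies_to(groups, ip):
            continue
        if host in p.exceptions:
            return "allow", p.name
        if category in (p.work if period == "work" else p.leisure):
            return "block", p.name
    return "allow", None

# Constructed sample policies: every name, group, host and address is invented.
POLICIES = [
    Policy("Global Policy - URL Filtering", 0, work={"shopping", "chat"}, is_global=True),
    Policy("Finance purchasing", 1, groups={"Finance"}, work={"shopping"},
           exceptions={"supplies.example.com"}),
    Policy("Kiosk lockdown", 2, networks=["192.0.2.0/28"],
           work={"shopping", "chat"}, leisure={"shopping", "chat"}),
]

if __name__ == "__main__":
    # A Finance user on a kiosk address: the higher-priority exception wins.
    print(decide(POLICIES, ["Finance"], "192.0.2.5", "supplies.example.com", "shopping", "work"))
```

In this model the Finance exception allows the vendor host even from an address that the lower-priority kiosk policy would block, which is the override behavior to check for whenever an exception is added to a high-priority policy.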